Video streaming service Netflix, which launched its services in the Netherlands last month, has found itself in violation of the Dutch Data Protection Act. However, as the company has chosen to headquarter itself in Luxembourg, the Dutch Data Protection Authority is unable to intervene on the matter.
The Netflix privacy violation is caused by a different interpretation of the definition of personal data. In its terms and conditions, the video streaming company states that it considers "personal data" to be data that can be traced back directly to an individual. However, under Dutch legislation, data that can indirectly be traced back to an individual — for instance, by linking it to other data — is considered to be personal data as well.
According to Dutch law, companies need customers' explicit consent to gather data that can indirectly be traced back to an individual, while Netflix only asks for consent for information that is directly linked to a user.
The Netherlands' secretary of state for education, Sander Dekker, considers the discrepancy a significant threat to the privacy of Dutch customers. "Netflix gathers so much information of its customers that this can be considered extremely sensitive personal data, as referred to in article 16 of the Data Protection Act," he wrote on the Dutch government website.
"There are strict regulations with regard to that, and customers must give their express consent for that, which, in case of Netflix, they have not. Under Dutch law, a user ID can also be considered personal data, whereas in the Netflix privacy statement, it is not considered as such.
"Moreover, Netflix gathers a lot of information about its viewers, in order to be able to offer them customised recommendations. If this information can be used to trace back religious or sexual preferences to the user, viewers must give their express consent for that information being gathered. There must be a specific button to confirm that, and Netflix doesn't provide that button."
As Netflix's European operations are based in Luxembourg, they're governed by Luxembourg's laws, rather than Dutch law. As a result, even though it offers its services in the Netherlands, the Dutch Data Protection Authority can't take action on any violations of the Dutch Data Protection Act by the company.
Had Netflix chosen to have its European base in the Netherlands, or indeed outside of Europe, the Dutch Data Authority could have intervened. However, businesses domiciled in Luxembourg constitute an exception, and their data processing methods can only be assessed under Luxembourg law.
Dutch MP Kees Verhoeven has called for Dekker to bring the matter to the attention of his Luxembourg counterpart, who could ask the country's Data Protection Authority to take action. Whether this will happen, of course, remains to be seen.
Netflix declined to comment.